
The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government computer security standard used to validate cryptographic modules. FIPS 140-2 defines four increasing security levels covering both physical and software protections; Level 1 is the lowest and Level 4 the highest.

In this article, IBM software engineers Benjamin Fletcher, Eric Barkie, and Bhargav Perepa provide step-by-step instructions for integrating the FIPS 140-2 HTTP/HTTPS client libraries, created by IBM Research, into IBM Worklight Studio hybrid and native iOS and Android apps. After reading it, you will be able to call these library APIs to create FIPS 140-2 compliant encrypted network requests and send them to FIPS 140-2 certified SSL termination points, inside or outside the firewall of a private enterprise network, through a reverse proxy architecture.

Independent expert M. Tim Jones takes you on a tour of testing your applications for security during the development and verification phase. He focuses on two kinds of testing: static analysis, which covers code you can touch, test, and inspect by hand or with tools without running it, and dynamic analysis, which covers automated review and inspection of the application while it executes. He also covers a further kind of dynamic testing that goes by several names: vulnerability scanning, network reconnaissance, and penetration testing. In the following image, Jones outlines the different approaches and tools you can use to secure applications, arranged by the phase of the software life cycle in which each applies:

In this excellent and quick read, Jones then outlines open source and proprietary tools you can use to take some of the sting out of setting up and testing applications during development.

Arxan Technologies, a company providing security solutions for mobile apps, is highlighting its April 2013 announcement from IBM Impact 2013 with a webcast, "Mobile App Security: Integrated Protection with IBM Worklight and Arxan," on September 5, 2013. The original announcement introduced Arxan Mobile Application Integrity Protection for IBM Worklight Apps, an integrated solution that enables IBM Worklight customers to protect their mobile apps against hacking attacks and malware exploits. This proactive application integrity protection is delivered by Arxan's Guarding technology, and it lets IBM MobileFirst customers increase security during both the app development and the deployment processes.

Arxan Guarding uses injection technology to embed self-defending, tamper-resistant protection mechanisms (a network of Guards) directly into the code. The Guards require no source code modification, can be integrated into the IBM Worklight build workflow without disrupting the software development process, and travel with the app wherever it goes. They can be applied at two tiers of protection:

A minimal level for all apps developed with Worklight.

A maximum level, suggested for Worklight apps that have custom native code (hybrid mixed and native app types) or a custom shell.